While employees are increasingly becoming informed about the threat phishing attacks pose to organizations, attackers are now combining other types of vectors to compromise their targets. The one we see on an increase is the telephone. This vector is called vishing.
What is vishing?
Vishing, also known as voice elicitation or voice phishing, is an attack method in which an organization’s employees are contacted via the telephone. The caller attempts to extract information necessary to compromise an organization. Vishing attackers will often use spoofing technology, exploiting trust in caller ID systems to establish credibility. Vishing attacks are low budget for the attacker and difficult to track by responders. Attackers rarely limit their targets to a single organization, industry or employee.
Why should my security team care about vishing?
Attackers will always look for an easy way in. Ideally they will be able to get insiders to help by engaging with them and building trust relationships. The telephone is a great avenue to do this, and therefore vishing is becoming more commonly used as an attack vector. While phishing emails need to evade spam folders, a phone call, especially into the Sales, HR or Customer Service department, is far more likely to be answered. According to a recent report by PinDrop Security, enterprise phone fraud incidents are up 30% since 2013, and it’s not just enterprises that are suffering. Average consumers are at risk, too. The report also indicates that U.S. consumers receive over 86 million scam phone calls per month. If individuals are unable to safeguard their own data, how can they expect to protect their organizations?
Because vishing is a growing problem, many organizations haven’t properly trained employees to look out for malicious telephone activity. Therefore vishing calls often go unreported and often unnoticed. Many times, attackers aren’t looking for money, passwords or other confidential data directly. The call could be very discrete and even seem innocuous. The main goal is to obtain information. Even the tiniest, most insignificant detail, such as weekly delivery date or the type of printer used, can be used to construct a believable follow-on pretext.
Sometimes attackers are looking to obtain the information necessary to impersonate an employee or representative of an organization. For example, an attacker could pose as a representative from corporate headquarters and call individual employees to “update a database” and walk away with enough information to impersonate the employee called. In this instance, the attacker would ask for bits of information such as employee ID numbers, social security numbers or other information that could be used to impersonate the employee and breach the organization by conducting future vishing calls with internal support. By this point the attacker may have enough information to pass any knowledge-based authentication, or the ability to talk their way around it. Using the information obtained from just a few phone calls, the attacker could execute an account takeover to breach the organization’s network.
Since there is no technology that can save employees from vishers or stop an attack completely, the only way to defend against vishing attacks is through education. It is important to properly educate employees how to act before, during and after a vishing attacks. Awareness programs that employ automated phone systems to conduct vishing training are not adequately preparing employees to combat real world attackers. It’s easy to hang up on an automated system; but do your employees have the training necessary to resist a friendly real person? Real vishing attacks are executed by real callers, therefore assessment and training should, as well.
Securing your organization against vishing attacks with VaaS
Social-Engineer’s Vishing as a Service offering allows organizations to adequately test and train their employees to respond to vishing attacks.
By conducting an initial wave of realistic vishing calls, an organization’s baseline susceptibility to vishing attacks can be established. From there each organization is provided with a thorough debriefing that focuses on a remediation and education program catered to meet the organization’s specific needs. This process is then repeated with enhanced and advanced methods of vishing awareness education. Rather than simply training staff to look for suspicious activity, the Social-Engineer team teaches users to apply critical thinking in order to recognize vishing calls. Employees are trained on how to properly report and respond suspicious calls without handing over any information. By conducting ongoing and regular vishing assessment and training campaigns, organizations can equip employees with the knowledge to stop phone fraudsters in their tracks.
For more information on Social Engineer’s VaaS offerings visit our VaaS Service Page.